Jul. 28, 2009

Posted in Facebook, General, OpenSocial

Application Data Retention (Updated)

As many who follow news on privacy and technology know, Canada’s Privacy Commissioner Jennifer Stoddart recently issued a report criticizing Facebook for various problems with privacy on the site.  The report addressed several aspects of privacy on Facebook, including data access by third-party applications.

One item in the report, though, concerned data retention by Facebook.  As TechCrunch describes:

The organization and Commissioner’s main concern is that Facebook provides confusing or incomplete information about its privacy practices, like not giving users the opportunity to completely wipe out their accounts instead of merely deactivating them. Stoddart also criticizes Facebook’s policy of indefinitely keeping the personal information of people who have done just that.

Commissioner Stoddart is not the first to raise this issue, as it’s been a subject of debate for some time.  However, I have not heard many people discuss a related aspect: data retention by third-party applications.

Unfortunately, with the way the Facebook Platform is currently structured, applications receive no notification when a user removes an application’s access to their data or shuts down their Facebook account.  Consequently, an application developer has no way to determine when a user has “uninstalled” the application, and thus for most applications, data retention lasts forever.  You can see this in action by removing an application then later authorizing it again: all of your data generated within the application will likely remain.  For some applications, this data continues to be accessible to other users even if you’ve uninstalled the application.

And this is not simply a Facebook problem.  From what I understand so far, the same issue applies to OpenSocial platforms, such as MySpace.

Granted, there’s no simple solution to this problem, but as concerns grow over the amount of data shared on social networking sites, third-party data retention policies will have to enter the discussion at some point.  One can argue that each application developer is responsible for their own policies, but most applications probably have no policy, and lack of notification on uninstall makes any policy difficult to implement.

Update (8/26): Upon further research, I discovered that I was quite incorrect with this blog post; my apologies to Facebook for making an erroneous statement about the Facebook Platform.  Facebook does, in fact, allow developers to set a post-remove URL which is notified when a user removes an application.  Apparently my experience has mostly been with applications which do not take advantage of this feature, meaning the issue primarily lies with application developers, not Facebook.  I do wonder how many applications actually remove data upon uninstallation.
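As an added illustration (not code from this post or from Facebook), here is one way an application could act on the post-remove notification: authenticate the callback so that nobody can forge a removal for another user, then purge that user's rows. The fb_sig parameter names and the MD5 signature layout are assumed from the legacy Facebook Platform convention; the secret, table names and sample rows are constructed for the example.

```python
import hashlib
import hmac
import sqlite3
import time

APP_SECRET = "constructed-app-secret"  # placeholder, not a real credential
MAX_AGE_SECONDS = 300                  # reject replayed or stale notifications
USER_TABLES = ("profile_cache", "user_content")  # hypothetical app tables

def expected_sig(params, secret):
    # Assumed legacy scheme: MD5 over the sorted "key=value" pairs of all
    # fb_sig_* parameters (prefix stripped), followed by the app secret.
    signed = {k[len("fb_sig_"):]: v for k, v in params.items() if k.startswith("fb_sig_")}
    payload = "".join(f"{k}={signed[k]}" for k in sorted(signed))
    return hashlib.md5((payload + secret).encode()).hexdigest()

def handle_post_remove(params, db, secret=APP_SECRET, now=None):
    """Purge a user's stored data; return True only for an authentic, fresh notice."""
    now = time.time() if now is None else now
    sig = params.get("fb_sig", "")
    if not hmac.compare_digest(sig.encode(), expected_sig(params, secret).encode()):
        return False  # unsigned or tampered request: delete nothing
    try:
        uid = int(params["fb_sig_user"])
        age = now - float(params["fb_sig_time"])
    except (KeyError, ValueError):
        return False
    if params.get("fb_sig_uninstall") != "1" or abs(age) > MAX_AGE_SECONDS:
        return False
    with db:  # one transaction: either every table is purged or none is
        for table in USER_TABLES:
            db.execute(f"DELETE FROM {table} WHERE user_id = ?", (uid,))
    return True

def make_db():
    # Constructed sample data: two users with cached profile and content rows.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profile_cache (user_id INTEGER, name TEXT)")
    db.execute("CREATE TABLE user_content (user_id INTEGER, body TEXT)")
    db.executemany("INSERT INTO profile_cache VALUES (?, ?)", [(1001, "A"), (1002, "B")])
    db.executemany("INSERT INTO user_content VALUES (?, ?)", [(1001, "x"), (1002, "y")])
    return db
```

The purge covers content other users could still see as well as cached profile data, which is the retention gap described earlier in the post.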
